2nd 🩸

Analyse

Open the binary in IDA 8.3 and start debugging.


There are three routes:

/ping
/user/:name
/admin

/ping is hard-coded to echo 'pong'.

/user appears to query the contents of main.db.

Let's take a look at /admin:


It checks whether the 'X-Forwarded-For' header is set to a fixed value, comparing it against 'r00dkc4b'.

When I sent a POST request via Burp Suite for testing, it verified the authorization for me.

Next, keep searching for the username/password.


Here the program calls github_com_gin_gonic_gin_BasicAuthForRealm.

Delving into the gin development documentation:

The username and password should therefore sit in plaintext near the auth call, since gin's BasicAuth takes its accounts as a plain map of user to password.
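The /admin header gate and the BasicAuthForRealm account handling described above, as an added example that is not the challenge's or gin's own code. It uses only the Go standard library, so gin.Accounts is modelled as a plain map and the middleware is reduced to two functions; the credentials, the salt and the /admin route are constructed, while the header token 'r00dkc4b' is the one this write-up reports. The second half goes beyond the page: it shows why a plaintext account map is recoverable from the binary, beside a hardened variant in which only salted digests are compiled in.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed credentials. A gin.Accounts map like this is compiled into the
// binary as string literals, which is why the write-up expects to find them.
var accounts = map[string]string{"admin": "example-password"}

// authPair is what a BasicAuth middleware precomputes per account: the full
// "Basic <base64(user:password)>" header value and the user it belongs to.
type authPair struct {
	value string
	user  string
}

func processAccounts(acc map[string]string) []authPair {
	pairs := make([]authPair, 0, len(acc))
	for user, pass := range acc {
		enc := base64.StdEncoding.EncodeToString([]byte(user + ":" + pass))
		pairs = append(pairs, authPair{value: "Basic " + enc, user: user})
	}
	return pairs
}

// searchCredential compares the Authorization header against every
// precomputed pair in constant time (the same idea gin uses) and returns
// the matched user.
func searchCredential(pairs []authPair, header string) (string, bool) {
	if header == "" {
		return "", false
	}
	for _, p := range pairs {
		if subtle.ConstantTimeCompare([]byte(p.value), []byte(header)) == 1 {
			return p.user, true
		}
	}
	return "", false
}

// forwardedForOK is the /admin gate from the write-up: X-Forwarded-For must
// equal the fixed token. The header is client-controlled, so on its own it
// is not an authentication check.
func forwardedForOK(r *http.Request) bool {
	got := []byte(r.Header.Get("X-Forwarded-For"))
	return subtle.ConstantTimeCompare(got, []byte("r00dkc4b")) == 1
}

// parseBasic decodes "Basic <base64>" into user and password.
func parseBasic(header string) (user, pass string, ok bool) {
	const prefix = "Basic "
	if !strings.HasPrefix(header, prefix) {
		return "", "", false
	}
	raw, err := base64.StdEncoding.DecodeString(header[len(prefix):])
	if err != nil {
		return "", "", false
	}
	return strings.Cut(string(raw), ":")
}

// Hardened store (assumption, not gin's API): only salted SHA-256 digests are
// compiled in, so a reverser recovers digests rather than the password.
// A production service would use a slow KDF such as bcrypt or argon2.
var salt = []byte("constructed-salt")

func hashPassword(pass string) [32]byte {
	return sha256.Sum256(append(append([]byte{}, salt...), []byte(pass)...))
}

var hashedAccounts = map[string][32]byte{"admin": hashPassword("example-password")}

func hashedVerify(header string) (string, bool) {
	user, pass, ok := parseBasic(header)
	if !ok {
		return "", false
	}
	want, found := hashedAccounts[user]
	if !found {
		return "", false
	}
	got := hashPassword(pass)
	if subtle.ConstantTimeCompare(want[:], got[:]) == 1 {
		return user, true
	}
	return "", false
}

func adminHandler(w http.ResponseWriter, r *http.Request) {
	if !forwardedForOK(r) {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	if _, ok := hashedVerify(r.Header.Get("Authorization")); !ok {
		w.Header().Set("WWW-Authenticate", `Basic realm="Authorization Required"`)
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	fmt.Fprintln(w, "admin ok")
}

func main() {
	srv := httptest.NewServer(http.HandlerFunc(adminHandler))
	defer srv.Close()
	req, _ := http.NewRequest("GET", srv.URL+"/admin", nil)
	req.Header.Set("X-Forwarded-For", "r00dkc4b")
	req.SetBasicAuth("admin", "example-password")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	fmt.Println("status:", resp.StatusCode)
}
```

The first half is what a reverser sees in the binary: a map of literal strings turned into "Basic ..." values, so the credentials are one strings-search away. The hashed variant keeps the same header flow but leaves nothing in the binary that can be replayed directly.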